June Invoice, with a subject line of inovice <random number> June, is another one from the current bot runs that try to drop CryptoLocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium-sized businesses, in the hope of getting a better response than they get from consumers.
Almost all of these have a password-stealing component, with the aim of stealing your email or FTP (web space) login credentials. Many of them are also designed specifically to steal your Facebook and other social network login details.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
Note the spelling mistake in the subject line of the email: inovice 9667444 June rather than invoice.
Updated 9 June with a new run, but the malware is a fake PDF today, not the original XLS file. It still has the spelling mistake in the subject, though.
10 June 2014: A slightly different updated version today: Company Tax Return – CT600_4938297 June – fake PDF malware.
Updated 14 August 2014. A new run of these with July invoice as the subject, inovice <random number> July. Note the still misspelled invoice in the subject line. The latest malware payload is invoice_3152880.zip, which extracts to Invoice_8753_14_08_2014.xls.exe with a VirusTotal detection rate of 3/54.
Update 15 August
A big change to the malware payload today. Instead of a zip file with a fake PDF or a fake XLS file, they have attached what appears to be a genuine PDF that is malformed and contains a script virus that will infect you with no action on your part. Just previewing the PDF in your email client, browser or in Windows Explorer is probably enough to infect you.
Adobe has issued an update to fix this 0-day exploit in both Adobe Reader and Adobe Flash.
Of course, it could be a totally separate attack and exploit that these malicious PDF files are using, but the coincidence is too great.
Please also read my previous post about this type of attack https://myonlinesecurity.co.uk/infected-malformed-pdf-attachments-emails/
Update 18 August 2014: today they are sending another big run of these malformed PDF files. The subject reads order-227-8.17.2014.pdf (all order numbers are totally random, but the date part stays consistent at 8.17.2014) and the email body is totally blank. Current VirusTotal detections: 12/54. The alleged senders all appear to have a common first name like fred, joe, mary, jeffry, Claire etc. and loads of weird characters or numbers.
Updated 20 August 2014: Back to the fake XLS invoices with a subject of Inovice 8602456 August (random invoice numbers, of course). Note it still has the misspelled inovice in the subject. Today’s malware has a current VirusTotal detection rate of 2/53.
Update 22 August 2014: Back to a malformed PDF with a script virus embedded that can easily infect you just by previewing the attachment, if you have an outdated or vulnerable version of Adobe or other PDF readers. Today’s malware has a current VirusTotal detection rate of 6/55. The subject is inovice_AUG_5334055.pdf (random number). This downloads a Gameover Zeus version from a hacked website, scalfordhall.co.uk/wp-content/themes/twentyeleven/images/111.exe, which, like a lot if not all infected websites, is using out-of-date and vulnerable software. This malware has a current VirusTotal detection rate of 2/55.
Update 26 August 2014: now using the more traditional fake PDF. There are currently 3 different versions spreading today. Today’s invoice has a VirusTotal detection rate of 4/55, the 2nd version 4/55 and the 3rd version 5/55.
Email simply says:
This email contains an invoice file attachment
6 June 2014: invoice_9667444.zip (49kb): Extracts to June_invoice_7846935978.xls.exe. Current VirusTotal detections: 1/51
9 June 2014: invoice_4982264.zip (63kb): Extracts to invoice_98372342598730_pdf.exe. Current VirusTotal detections: 3/52
This June Invoice is another one of the spoofed-icon files that, unless you have “show known file extensions” enabled, will look like a proper xls (Microsoft Excel spreadsheet) file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected.
All of these emails use social engineering tricks to persuade you to open the attachments that come with the email, whether it is a message saying “look at this picture of me I took last night” that appears to come from a friend, or something more targeted at somebody who is likely to regularly receive PDF attachments, Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.
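The two things this post keeps coming back to, the recurring “inovice” misspelling in the subject and the double-extension .xls.exe / _pdf.exe file hidden inside the zip, are both easy to check for automatically at the mail gateway or on a quarantined attachment. The script below is an added example written for this page, not code from the blog or from any product: it builds a constructed sample zip (the “payload” inside is just an MZ magic number followed by filler, not real malware), then triages the subject and the attachment the way a mail filter might, flagging executable extensions, document-looking double extensions, and files whose first two bytes are a PE header. The subject regex, extension lists and verdict names are my own assumptions.

```python
import io
import os
import re
import zipfile

# Subject pattern seen throughout this campaign: the misspelling "inovice"
# followed by a space or underscore, e.g. "inovice 9667444 June",
# "Inovice 8602456 August" or "inovice_AUG_5334055.pdf". (Assumed pattern.)
SUBJECT_RE = re.compile(r"\binovice[ _]", re.IGNORECASE)

# Extensions Windows will execute if double-clicked (assumed list, extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document-type tokens the campaign sticks in front of the real extension.
DOC_HINTS = ("xls", "xlsx", "pdf", "doc", "docx")


def disguised_as_document(name):
    """True when the final extension is executable but the name is dressed up as
    a document, e.g. June_invoice_7846935978.xls.exe or invoice_98372342598730_pdf.exe."""
    stem, ext = os.path.splitext(name.lower())
    if ext not in EXECUTABLE_EXTS:
        return False
    return any(stem.endswith(sep + hint) for hint in DOC_HINTS for sep in (".", "_"))


def inspect_attachment(name, data):
    """Return a list of human-readable findings for one attachment.
    Zip archives are opened and each member is checked; anything else is
    checked as a single file."""
    hits = []
    blob = io.BytesIO(data)
    if zipfile.is_zipfile(blob):
        with zipfile.ZipFile(blob) as zf:
            for info in zf.infolist():
                inner = info.filename
                _, ext = os.path.splitext(inner.lower())
                if ext in EXECUTABLE_EXTS:
                    hits.append(f"executable inside zip: {inner}")
                if disguised_as_document(inner):
                    hits.append(f"double extension disguised as a document: {inner}")
                # Look at the content, not just the name: a PE file starts with "MZ".
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        hits.append(f"PE header inside zip: {inner}")
    else:
        if data[:2] == b"MZ":
            hits.append(f"PE header in attachment: {name}")
        if disguised_as_document(name):
            hits.append(f"double extension disguised as a document: {name}")
    return hits


def triage(subject, attachment_name, attachment_bytes):
    """Combine the subject check and the attachment check into one verdict:
    'quarantine' when the attachment itself is suspicious, 'review' when only
    the subject matches the campaign pattern, otherwise 'allow'."""
    subject_hits = []
    if SUBJECT_RE.search(subject):
        subject_hits.append("subject uses the campaign's 'inovice' misspelling")
    attachment_hits = inspect_attachment(attachment_name, attachment_bytes)
    if attachment_hits:
        verdict = "quarantine"
    elif subject_hits:
        verdict = "review"
    else:
        verdict = "allow"
    return {"subject_hits": subject_hits, "attachment_hits": attachment_hits, "verdict": verdict}


def build_sample_zip(inner_name, payload):
    """Constructed sample: a zip holding one member with the given name and bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Harmless stand-in for the payload: PE magic number plus zero filler.
    fake_exe = b"MZ" + b"\x00" * 62
    sample = build_sample_zip("June_invoice_7846935978.xls.exe", fake_exe)
    result = triage("inovice 9667444 June", "invoice_9667444.zip", sample)
    for line in result["subject_hits"] + result["attachment_hits"]:
        print("-", line)
    print("verdict:", result["verdict"])
```

Name-based checks alone are not enough, which is why the script also reads the first two bytes of every zip member: a renamed executable still carries its PE header whatever the filename says. The opposite caveat also applies: the malformed-PDF runs described in the 15, 18 and 22 August updates are real PDFs that abuse the reader, so this kind of filter will not catch them; keeping Adobe Reader and Flash patched, as the post notes, is the control for those.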